
Understanding IPv6 ACLs

This section describes how an IPv6 ACL works when it is applied on the FW.

IPv6 ACL Types

The FW supports basic and advanced ACLs, as shown in Table 1.

Table 1 IPv6 ACL types

Type                ACL Number Range    Filtering Criteria
Basic ACL           2000 to 2999        Basic ACLs filter traffic by source IP address only.
Advanced IPv6 ACL   3000 to 3999        Advanced ACLs filter traffic by source address, destination address, protocol type, and protocol attributes, for example, the TCP source or destination port and the type and code of Internet Control Message Protocol version 6 (ICMPv6) messages.

Matching Order

An IPv6 ACL is composed of multiple permit or deny statements. Each statement describes a rule, and the rules may overlap or conflict with one another.

Data flows are matched against IPv6 ACL rules in the following order:

  • Within the same ACL, the rule with the smaller rule ID is matched first.
  • Across different ACLs, matching follows the order in which the user configured the ACLs.

Once a data flow matches a rule, no further rules are checked for that flow. The FW then handles the data flow according to the matched rule, so a rule with a larger rule ID that is fully covered by an earlier rule never takes effect.

Operating Process of an IPv6 ACL

An IPv6 ACL must be referenced to take effect. The operating process of an IPv6 ACL on the FW is as follows:

  1. After a packet related to a feature that references an IPv6 ACL arrives at the FW, the FW checks whether the referenced IPv6 ACL exists. If the IPv6 ACL exists, the FW performs the next step. If the IPv6 ACL does not exist, the FW discards the packet.
  2. The FW searches the rules of the IPv6 ACL in order. If a match is found, the remaining rules are skipped, and the packet is permitted or denied as determined by the matched rule.
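The matching order and operating process described above, modelled as an added Python example (this is not Huawei code and not the FW's implementation). It assumes constructed sample ACLs and packets, classifies ACLs by the number ranges in Table 1, evaluates rules in ascending rule-id order with first match winning, and discards packets whose referenced ACL does not exist; the behaviour when no rule matches is not stated on the page and is marked as an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    rule_id: int                 # within one ACL, the smaller rule-id is matched first
    action: str                  # "permit" or "deny"
    src: Optional[str] = None    # IPv6 prefix; None matches any source address
    dst: Optional[str] = None    # dst/proto/dport are only evaluated by advanced ACLs
    proto: Optional[str] = None  # e.g. "tcp", "udp", "icmpv6"
    dport: Optional[int] = None  # TCP/UDP destination port

def acl_type(number: int) -> str:
    """Classify an ACL by its number as in Table 1."""
    if 2000 <= number <= 2999:
        return "basic"
    if 3000 <= number <= 3999:
        return "advanced"
    raise ValueError(f"{number} is outside the IPv6 ACL number ranges")

def rule_matches(rule: Rule, pkt: dict, kind: str) -> bool:
    """Basic ACLs filter on source only; advanced ACLs also check dst, protocol and port."""
    if rule.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule.src):
        return False
    if kind == "advanced":
        if rule.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule.dst):
            return False
        if rule.proto and rule.proto != pkt.get("proto"):
            return False
        if rule.dport is not None and rule.dport != pkt.get("dport"):
            return False
    return True

def evaluate(acls: dict, acl_number: int, pkt: dict) -> tuple:
    """Missing referenced ACL -> discard; else first match in ascending rule-id order wins."""
    if acl_number not in acls:
        return ("discard", None)
    kind = acl_type(acl_number)
    for rule in sorted(acls[acl_number], key=lambda r: r.rule_id):
        if rule_matches(rule, pkt, kind):
            return (rule.action, rule.rule_id)
    return ("no-match", None)  # assumption: the page does not state the no-match default

# Constructed sample ACLs (not from the page). In ACL 2001 the narrower deny carries the
# larger rule-id, so the broad permit (rule 5) matches first and rule 10 never fires.
ACLS = {
    2001: [Rule(10, "deny", "2001:db8:bad::/48"), Rule(5, "permit", "2001:db8::/32")],
    3001: [Rule(5, "permit", "2001:db8::/32", proto="tcp", dport=443), Rule(10, "deny", "2001:db8::/32")],
}
```

Running evaluate(ACLS, 2001, {"src": "2001:db8:bad::1"}) returns ("permit", 5), which is the shadowed-rule case an auditor should look for when reviewing rule IDs.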
Copyright © Huawei Technologies Co., Ltd.